IT-DRAFTS
July 9, 2025

DPAPI: The Granddaddy of Windows Crypto (and your secrets)

Hey hey, so, now let’s talk about DPAPI.

DPAPI, the ‘Data Protection API’, is Windows’ native system for encrypting things like saved credentials, cookies, Wi-Fi passwords, and personal certs. Introduced in Windows 2000, it’s the ancient beast that still powers a terrifying amount of “secure storage” in modern Windows.

🧠 Under the Hood

  • Based on per-user Master Keys

  • Master Keys are encrypted using:

    • For a user: a key derived from the user’s NTLM hash (SHA1-HMAC)

    • Or, for SYSTEM context, with the DPAPI_SYSTEM key

  • Exposed to applications via CryptProtectData() and CryptUnprotectData()

  • Uses AES-256-CBC in newer OSes, 3DES in older ones

  • Bound to the user SID, lives at:
    %APPDATA%\Microsoft\Protect\<SID>\masterkey-GUID

If you’ve got the NTLM hash or SYSTEM access — game over.

🔑 Master Keys: Your Skeleton Key to Everything

  • File: %APPDATA%\Microsoft\Protect\<SID>\masterkey-GUID

  • Encrypted with PBKDF2 → HMAC-SHA1 → AES

  • Iterations:

    • WinXP: ~4000

    • Win10+: 10,000+

  • Cached in memory via lsass.exe during login

Yep, you know where this is going. If you dump lsass, you can pull the decrypted MasterKey straight out.

📁 What Can Be Decrypted?

| Artifact | Location / Storage |
|---|---|
| Credentials (*.cred) | %APPDATA%\Microsoft\Credentials |
| Chrome/Edge passwords | Login Data → SQLite → DPAPI-encrypted fields |
| Wi-Fi passwords | netsh wlan export profile key=clear |
| Windows Vault | %LOCALAPPDATA%\Microsoft\Vault |
| PFX files (certs + private keys) | %APPDATA%\Microsoft\SystemCertificates\My\Certificates |
| RDP / RDCMan / KeePass configs | If they use DPAPI to encrypt creds |

🧨 How to Break DPAPI in 4 Steps

  1. Extract blob (*.cred, Chrome DB, etc.)

  2. Get user’s SID and NTLM hash

  3. Extract and decrypt the MasterKey

  4. Decrypt the DPAPI blob

```powershell
# SharpDPAPI example
SharpDPAPI masterkey /in:masterkey_file /password:UserPassword
SharpDPAPI blob /mk:DECRYPTED_MK /in:credential.blob
```

Or use mimikatz like a boss:

```text
mimikatz # sekurlsa::dpapi
mimikatz # dpapi::cred /in:<file>
```

🤖 Enter DPAPI-NG (Next Generation)

Ah yes, the glow-up. DPAPI-NG (also known as CNG DPAPI) showed up in Win8+ and Server 2012+.

What’s new:

  • Uses CNG (Cryptography Next Gen) API

  • Integrates with Kerberos Armoring (FAST)

  • Tied to:

    • gMSA (Group Managed Service Accounts)

    • VBS (Virtualization-Based Security)

    • Windows Hello for Business

    • KDS root keys

  • Designed for more “context-aware” crypto (e.g., TPM-bound keys)

But the catch:

If you’ve got a Kerberos TGT, the correct PAC, and KDS root key — you can break it too. Offline attacks are harder, not impossible.

🧬 PFX File Decryption via DPAPI

People think a PFX (personal certificate plus private key) is secured by its password. Nope — if it was imported through the Windows GUI, the private key is often just encrypted automatically with DPAPI.

Location:

%APPDATA%\Microsoft\Crypto\RSA\<SID>\<GUID>

You can extract and decrypt it just like anything else:

```powershell
SharpDPAPI certificates /mk:DECRYPTED_MK
# or
mimikatz crypto::certificates /systemstore:local_machine
```

🧪 DPAPI Blob Anatomy

Every DPAPI blob contains:

  • dwVersion (1 or 2)

  • GUID of MasterKey

  • Entropy (optional)

  • Encrypted payload

  • MAC (HMAC-SHA1) for integrity

The MasterKey structure:

  • Encrypted with AES/3DES

  • Contains salts, iterations, and HMACs

  • Uses PBKDF2 (with SHA1) to derive KEK

Offline brute-forcing of DPAPI is technically feasible if the original password was weak and you have the blob and salt — but with the NTLM hash it’s instant.
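As an added example (not code from the original post), here is a small Python parser for the blob layout listed above. It walks the header fields of a DPAPI blob and reports which master key GUID the blob depends on, whether it was protected in user or machine scope, and which cipher and hash it uses, without decrypting anything. That is the triage question an incident responder or a forensic reviewer has when a stray blob turns up in a file share or a ticket. The field order follows the public DPAPI_BLOB layout used by open-source DPAPI tooling; the sample blob is constructed inline, and its master key GUID, description and payload bytes are made up.

```python
import struct
import uuid

# Provider GUID that every classic DPAPI blob carries right after dwVersion.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CALG_* identifiers from wincrypt.h, enough to name what the blob uses.
CALG_NAMES = {
    0x6603: "3DES",
    0x6610: "AES-256",
    0x8004: "SHA1",
    0x800E: "SHA-512",
}

CRYPTPROTECT_LOCAL_MACHINE = 0x4  # flag bit: machine (SYSTEM) scope, not user scope


def _u32(buf, off):
    """Read a little-endian DWORD at off; return (value, new_offset)."""
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _guid(buf, off):
    """Read a 16-byte GUID in Windows (mixed-endian) byte order."""
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16


def _counted(buf, off):
    """Read a DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    chunk = bytes(buf[off:off + n])
    if len(chunk) != n:
        raise ValueError("truncated DPAPI blob")
    return chunk, off + n


def parse_dpapi_blob(buf):
    """Walk the DPAPI_BLOB header and return its fields as a dict.

    Nothing is decrypted: the point is to learn which master key the blob
    needs, what scope it was protected in, and which algorithms are used.
    """
    off = 0
    version, off = _u32(buf, off)
    provider, off = _guid(buf, off)
    if provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob: provider GUID mismatch")
    mk_version, off = _u32(buf, off)
    mk_guid, off = _guid(buf, off)
    flags, off = _u32(buf, off)
    desc_raw, off = _counted(buf, off)          # UTF-16LE, NUL-terminated
    alg_crypt, off = _u32(buf, off)
    alg_crypt_bits, off = _u32(buf, off)
    salt, off = _counted(buf, off)
    strong_key, off = _counted(buf, off)        # "HMAC key" field, normally empty
    alg_hash, off = _u32(buf, off)
    alg_hash_bits, off = _u32(buf, off)
    hmac2_key, off = _counted(buf, off)
    ciphertext, off = _counted(buf, off)
    signature, off = _counted(buf, off)         # HMAC over header + data
    if off != len(buf):
        raise ValueError("trailing bytes after DPAPI blob")
    return {
        "version": version,
        "master_key_version": mk_version,
        "master_key_guid": str(mk_guid),
        "scope": "machine" if flags & CRYPTPROTECT_LOCAL_MACHINE else "user",
        "description": desc_raw.decode("utf-16-le").rstrip("\x00"),
        "cipher": CALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "cipher_bits": alg_crypt_bits,
        "hash": CALG_NAMES.get(alg_hash, hex(alg_hash)),
        "hash_bits": alg_hash_bits,
        "salt_len": len(salt),
        "ciphertext_len": len(ciphertext),
        "signature_len": len(signature),
    }


def build_sample_blob():
    """Constructed sample blob in the same layout (made-up GUID and bytes, no real secret)."""
    mk_guid = uuid.UUID("11111111-2222-3333-4444-555555555555")
    desc = "Constructed sample".encode("utf-16-le") + b"\x00\x00"
    parts = [
        struct.pack("<I", 1),                   # dwVersion
        DPAPI_PROVIDER_GUID.bytes_le,           # guidProvider
        struct.pack("<I", 1),                   # dwMasterKeyVersion
        mk_guid.bytes_le,                       # guidMasterKey
        struct.pack("<I", 0),                   # dwFlags (user scope)
        struct.pack("<I", len(desc)), desc,     # szDescription
        struct.pack("<II", 0x6610, 256),        # algCrypt, key bits
        struct.pack("<I", 32), b"\x01" * 32,    # salt
        struct.pack("<I", 0),                   # strong key (empty)
        struct.pack("<II", 0x800E, 512),        # algHash, hash bits
        struct.pack("<I", 0),                   # hmac2 key (empty)
        struct.pack("<I", 48), b"\xAA" * 48,    # ciphertext (three AES blocks)
        struct.pack("<I", 64), b"\xBB" * 64,    # signature (HMAC-SHA512 size)
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for key, value in parse_dpapi_blob(build_sample_blob()).items():
        print(f"{key:>20}: {value}")
```

The master key GUID the parser reports is the one to look for under the Protect directory for the owning SID, and the scope field tells you whether that lookup is in the user’s profile or in the machine store; the parser deliberately refuses blobs whose provider GUID does not match and blobs that are truncated, because a tool that silently guesses at a damaged header is worse than one that stops.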

🛡 Defense: Because Microsoft Knows It’s Broken

What Microsoft recommends:

  • Use Credential Guard to isolate lsass

  • Prefer Windows Hello for Business (TPM + PIN)

  • Encrypt PFX with a real password

  • Disable credential storage in browsers

  • Use Privileged Access Workstations (PAWs) for admins

What pros do:

  • Monitor calls to CryptUnprotectData (event tracing)

  • Block access to lsass.exe from non-EKM processes

  • Prevent dumping tools like mimikatz via EDR/Sysmon rules

  • Stop saving credentials to the Credential Manager, period.
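An added example (not from the original post) of the Sysmon-rule idea in the list above, in Python: it takes Sysmon Event ID 10 (ProcessAccess) records, keeps only handles to lsass.exe whose granted access includes PROCESS_VM_READ (the right a memory dump needs), and flags any source image that is not on an allow-list. The events, the allow-list and the file paths are constructed for the example; a real deployment would tune the allow-list to its own AV/EDR and backup agents and feed events from the Sysmon operational log.

```python
import xml.etree.ElementTree as ET

# Process access right from winnt.h that reading another process's memory needs.
PROCESS_VM_READ = 0x0010

# Constructed allow-list of binaries that legitimately open lsass with read
# access on a typical host. Tune this per environment; everything else that
# reads lsass memory deserves a ticket.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def parse_sysmon_event(xml_text):
    """Flatten a Sysmon event (Windows event XML) into a {field: value} dict."""
    root = ET.fromstring(xml_text)
    fields = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the schema namespace
        if tag == "EventID":
            fields["EventID"] = int(el.text)
        elif tag == "Data" and el.get("Name"):
            fields[el.get("Name")] = el.text or ""
    return fields


def lsass_access_verdict(fields):
    """Return (flagged, reason) for one parsed event."""
    if fields.get("EventID") != 10:
        return False, "not a ProcessAccess event"
    target = fields.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False, "target is not lsass"
    granted = int(fields.get("GrantedAccess", "0"), 16)
    if not granted & PROCESS_VM_READ:
        return False, "no PROCESS_VM_READ (query-only handle)"
    source = fields.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return False, "allow-listed source"
    return True, f"{source} opened lsass with 0x{granted:x} (includes VM_READ)"


def triage(events):
    """Run the verdict over raw XML events; return the reasons for every hit."""
    hits = []
    for raw in events:
        flagged, reason = lsass_access_verdict(parse_sysmon_event(raw))
        if flagged:
            hits.append(reason)
    return hits


def _event(event_id, **data):
    """Build a minimal Sysmon-style event XML (constructed sample data)."""
    ns = "http://schemas.microsoft.com/win/2004/08/events/event"
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{ns}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{body}</EventData></Event>')


# Constructed sample log: one benign AV read, one query-only handle,
# one unknown binary with full access, one unrelated process-create event.
SAMPLE_EVENTS = [
    _event(10, SourceImage=r"C:\Program Files\Windows Defender\MsMpEng.exe",
           TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1010"),
    _event(10, SourceImage=r"C:\Windows\system32\svchost.exe",
           TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1400"),
    _event(10, SourceImage=r"C:\Users\alice\AppData\Local\Temp\updater.exe",
           TargetImage=r"C:\Windows\system32\lsass.exe", GrantedAccess="0x1FFFFF"),
    _event(1, Image=r"C:\Windows\system32\notepad.exe"),
]


if __name__ == "__main__":
    for reason in triage(SAMPLE_EVENTS):
        print("ALERT:", reason)
```

The access-mask check is what keeps the rule quiet: plenty of system components open lsass for query-only rights (0x1400 style masks) and never read its memory, so alerting on every handle to lsass drowns the one that matters. Credential Guard, from the first list, is the complementary control: with lsass secrets isolated, even a successful read gets much less.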

👾 TL;DR

DPAPI is like locking your secrets in a box and leaving the key in your pocket. If someone gets your NTLM hash, SYSTEM access, or dumps lsass — they have everything.

DPAPI-NG tries to be smarter, but it’s still crackable in real-world scenarios, especially in enterprise environments where KDS and Kerberos are abused.
